apple-data 0.1.0
- checksums.yaml +7 -0
- data/share/4cc.yaml +295 -0
- data/share/apns.yaml +386 -0
- data/share/backup.yaml +45 -0
- data/share/baseband.yaml +4 -0
- data/share/bluetooth.yaml +76 -0
- data/share/boot_args.yaml +856 -0
- data/share/bridgeos.yaml +165 -0
- data/share/bundles.yaml +61 -0
- data/share/cores.yaml +1738 -0
- data/share/credits.yaml +6222 -0
- data/share/dnssd.yaml +289 -0
- data/share/fdr.yaml +171 -0
- data/share/homekit.yaml +15 -0
- data/share/icloud.yaml +9 -0
- data/share/img4.yaml +456 -0
- data/share/ioreg.yaml +5643 -0
- data/share/ipsw.yaml +1101 -0
- data/share/kext.yaml +1719 -0
- data/share/launchd/services_bridgeOS_6.1.yaml +1323 -0
- data/share/lightning.yaml +35 -0
- data/share/lockdownd.yaml +79 -0
- data/share/mach_o.yaml +428 -0
- data/share/mobile_assets.yaml +964 -0
- data/share/mobile_gestalt.yaml +2446 -0
- data/share/nvram.yaml +442 -0
- data/share/ota.yaml +9 -0
- data/share/pki.yaml +170 -0
- data/share/platforms.yaml +32 -0
- data/share/pmu.yaml +30 -0
- data/share/registers.yaml +2527 -0
- data/share/resources.yaml +199 -0
- data/share/sep.yaml +210 -0
- data/share/services.yaml +638 -0
- data/share/syscfg.yaml +1 -0
- metadata +78 -0
@@ -0,0 +1,199 @@
|
|
1
|
+
---
|
2
|
+
- url: https://github.com/alephsecurity/xnu-qemu-arm64/wiki/Build-iOS-on-QEMU
|
3
|
+
title: Run iOS on QEMU
|
4
|
+
type: article
|
5
|
+
- url: https://github.com/onethawt/idaplugins-list
|
6
|
+
title: onethawt's list of IDA plugins
|
7
|
+
type: article
|
8
|
+
- url: https://github.com/AllsafeCyberSecurity/awesome-ghidra
|
9
|
+
title: Awesome Ghirda Plugins
|
10
|
+
type: article
|
11
|
+
- url: https://blog.t8012.dev/ace-part-1/
|
12
|
+
title: USB-C Port Controller (ACE) Secrets
|
13
|
+
type: article
|
14
|
+
- url: http://ramtin-amin.fr/#tristar
|
15
|
+
title: Ramtin Amin's Tristar Reverse Engineering
|
16
|
+
type: article
|
17
|
+
- url: https://nyansatan.github.io/lightning/
|
18
|
+
title: Nyan Satin's Lightning Reverse Engineering
|
19
|
+
type: article
|
20
|
+
- url: Ramtin Amin's NVMe PCIe Reverse Engineering
|
21
|
+
title: http://ramtin-amin.fr/#nvmepcie
|
22
|
+
type: article
|
23
|
+
- url: http://ramtin-amin.fr/#nvmedma
|
24
|
+
title: Ramtin Amin's NVMe DMA Reverse Engineering
|
25
|
+
type: article
|
26
|
+
- url: https://github.com/hack-different/mootool
|
27
|
+
type: repo
|
28
|
+
name: mootool
|
29
|
+
description: FOSS Ruby Mach-O Tool (aims to replicate jtool2 feature set)
|
30
|
+
categories:
|
31
|
+
- tool
|
32
|
+
- re
|
33
|
+
- ruby
|
34
|
+
- url: https://github.com/cxnder/ktool
|
35
|
+
type: repo
|
36
|
+
name: ktool
|
37
|
+
description: FOSS Python Mach-O Tool
|
38
|
+
categories:
|
39
|
+
- tool
|
40
|
+
- re
|
41
|
+
- python
|
42
|
+
- url: https://github.com/checkra1n/toolchain
|
43
|
+
type: repo
|
44
|
+
name: checkra1n-toolchain
|
45
|
+
description: Toolchain used to compile checkra1n and pongoOS
|
46
|
+
categories:
|
47
|
+
- toolchain
|
48
|
+
- c
|
49
|
+
- url: https://github.com/alephsecurity/xnu-qemu-arm64
|
50
|
+
type: repo
|
51
|
+
name: alephsecurity/xnu-qemu-arm64
|
52
|
+
description: QEMU branch for emulating iOS / XNU on arm64
|
53
|
+
categories:
|
54
|
+
- emulation
|
55
|
+
- c
|
56
|
+
- xnu
|
57
|
+
- url: https://github.com/alephsecurity/xnu-qemu-arm64-tools
|
58
|
+
type: repo
|
59
|
+
name: alephsecurity/xnu-qemu-arm64-tools
|
60
|
+
description: Tooling to prepare an image for QEMU
|
61
|
+
categories:
|
62
|
+
- tool
|
63
|
+
- emulation
|
64
|
+
- url: https://github.com/cellebrite-srl/ida_kernelcache
|
65
|
+
type: repo
|
66
|
+
name: cellebrite-srl/ida_kernelcache
|
67
|
+
description: IDA plugin for XNU kernelcaches
|
68
|
+
categories:
|
69
|
+
- ida_plugin
|
70
|
+
- disassembly
|
71
|
+
- re
|
72
|
+
- url: https://github.com/cellebrite-srl/PacXplorer
|
73
|
+
type: repo
|
74
|
+
name: cellebrite-srl/PacExplorer
|
75
|
+
description: IDA plugin for pointer authentication
|
76
|
+
categories:
|
77
|
+
- ida_plugin
|
78
|
+
- disassembly
|
79
|
+
- re
|
80
|
+
- url: https://github.com/cellebrite-srl/FunctionInliner
|
81
|
+
type: repo
|
82
|
+
name: cellebrite-srl/FunctionInliner
|
83
|
+
description: IDA plugin for function inlining
|
84
|
+
categories:
|
85
|
+
- ida_plugin
|
86
|
+
- disassembly
|
87
|
+
- re
|
88
|
+
- url: https://github.com/0x36/ghidra_kernelcache
|
89
|
+
type: repo
|
90
|
+
name: 0x36/ghidra_kernelcache
|
91
|
+
description: Ghidra plugin for XNU kernel caches
|
92
|
+
categories:
|
93
|
+
- ghidra_plugin
|
94
|
+
- disassembly
|
95
|
+
- re
|
96
|
+
- url: https://github.com/blacktop/ipsw
|
97
|
+
type: repo
|
98
|
+
name: blacktop/ipsw
|
99
|
+
description: Swiss army knife for IPSWs
|
100
|
+
categories:
|
101
|
+
- tool
|
102
|
+
- url: https://github.com/checkra1n/pongoOS
|
103
|
+
type: repo
|
104
|
+
name: pongoOS
|
105
|
+
- url: https://github.com/t8012/demuxusb
|
106
|
+
type: repo
|
107
|
+
name: DeMuxUSB - USBMuxD disector
|
108
|
+
- url: https://github.com/libimobiledevice/usbmuxd
|
109
|
+
type: repo
|
110
|
+
name: open source usbmuxd implementation from libimobiledevice
|
111
|
+
- url: https://github.com/libimobiledevice/libimobiledevice
|
112
|
+
type: repo
|
113
|
+
name: libimobiledevice
|
114
|
+
- url: https://github.com/libimobiledevice/libirecovery
|
115
|
+
type: repo
|
116
|
+
name: libirecovery - low level iBoot / DFU handler
|
117
|
+
- url: https://github.com/libimobiledevice/idevicerestore
|
118
|
+
type: repo
|
119
|
+
name: idevicerestore - open source Apple device restore tool
|
120
|
+
- url: https://github.com/rickmark/apple_utdm
|
121
|
+
type: repo
|
122
|
+
name: UTDM - USB Target Disk Mode
|
123
|
+
- url: https://github.com/rickmark/macvdmtool
|
124
|
+
type: repo
|
125
|
+
name: MacVDMTool and Library - USB-PD Vendor Defined Messsages
|
126
|
+
- url: https://github.com/gh2o/rvi_capture
|
127
|
+
type: repo
|
128
|
+
name: Apple Remote Virtaul Interface
|
129
|
+
- url: https://github.com/osy/ThunderboltPatcher
|
130
|
+
type: repo
|
131
|
+
name: Thunderbolt Patcher by osy
|
132
|
+
- url: https://github.com/rickmark/awdd_decode
|
133
|
+
type: repo
|
134
|
+
name: Apple Wireless Diagnostics logging decode
|
135
|
+
- url: https://github.com/mikebrady/shairport-sync
|
136
|
+
type: repo
|
137
|
+
name: Shareport - AirPlay2 implementation
|
138
|
+
- url: https://github.com/rickmark/libibackup
|
139
|
+
type: repo
|
140
|
+
name: open source iOS backup library
|
141
|
+
- url: https://github.com/iineva/bom
|
142
|
+
type: repo
|
143
|
+
name: BOM - Bill of Materials by NeXT / Apple
|
144
|
+
- url: https://github.com/libimobiledevice/libplist
|
145
|
+
type: repo
|
146
|
+
name: Open source plist implementation
|
147
|
+
- url: https://github.com/josephw/titl
|
148
|
+
type: repo
|
149
|
+
name: Open Source iTunes Library Parser
|
150
|
+
- url: https://github.com/sbingner/ldid
|
151
|
+
type: repo
|
152
|
+
name: SBinger's fork of the ldid link editor
|
153
|
+
- url: https://github.com/t8012/efivalidate
|
154
|
+
type: repo
|
155
|
+
name: T1 and prior EFI firmware verification
|
156
|
+
- url: https://github.com/hekapooios/hekapooios.github.io
|
157
|
+
type: repo
|
158
|
+
name: List of all SecureROM / SEPROMs
|
159
|
+
- url: https://github.com/seemoo-lab/openwifipass
|
160
|
+
type: repo
|
161
|
+
name: Apple WiFi Password Sharing Implementation
|
162
|
+
- url: https://github.com/t8012/smcutil
|
163
|
+
type: repo
|
164
|
+
name: Create SMC binaries from update payloads
|
165
|
+
- url: https://github.com/acidanthera/VirtualSMC
|
166
|
+
type: repo
|
167
|
+
name: Virtual SMC implementation for Clover
|
168
|
+
- name: IDA - The Intellegent Disassembler
|
169
|
+
type: tool
|
170
|
+
url: https://hex-rays.com/ida-pro/
|
171
|
+
- name: VisUAL ARM Simulator
|
172
|
+
type: tool
|
173
|
+
url: https://salmanarif.bitbucket.io/visual/index.html
|
174
|
+
- name: Ghidra Disassembler
|
175
|
+
type: tool
|
176
|
+
url: https://ghidra-sre.org
|
177
|
+
open_source: true
|
178
|
+
- name: Hopper Disassembler
|
179
|
+
type: tool
|
180
|
+
url: https://www.hopperapp.com
|
181
|
+
- name: jtool2 by Levin
|
182
|
+
type: tool
|
183
|
+
url: https://www.newosxbook.com/tools/jtool.html
|
184
|
+
- name: Frida - Dynamic instrumentation toolkit for developers
|
185
|
+
url: https://frida.re/
|
186
|
+
type: tool
|
187
|
+
open_source: true
|
188
|
+
- name: libimobiledevice - open source Apple / iTunes implementation
|
189
|
+
type: tool
|
190
|
+
url: https://libimobiledevice.org
|
191
|
+
- url: https://developer.apple.com/library/content/documentation/Darwin/Conceptual/KernelProgramming
|
192
|
+
type: article
|
193
|
+
title: Apple - Kernel Programming Guide
|
194
|
+
- url: https://developer.apple.com/library/content/documentation/DeviceDrivers/Conceptual/IOKitFundamentals
|
195
|
+
type: article
|
196
|
+
title: Apple - IOKit Fundamentals
|
197
|
+
- url: https://developer.apple.com/library/content/documentation/Performance/Conceptual/ManagingMemory/Articles/AboutMemory.html
|
198
|
+
type: article
|
199
|
+
title: Apple - Virtual Memory System
|
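Review bot: The entry at new lines 20–21 has its two values swapped: `url:` holds the text `Ramtin Amin's NVMe PCIe Reverse Engineering` and `title:` holds `http://ramtin-amin.fr/#nvmepcie`, so anything that renders or fetches `url` gets a non-URL string; it should read `- url: http://ramtin-amin.fr/#nvmepcie` followed by `title: Ramtin Amin's NVMe PCIe Reverse Engineering`. The PacXplorer entry (new lines 72–74) gives `name: cellebrite-srl/PacExplorer`, which does not match the repository path in its own `url`. The three ramtin-amin.fr links use `http://`, so a reader following them fetches the reference over an unauthenticated channel; switch them to `https://` if the site serves it. The file header for this section is not shown on the page; its line count matches `data/share/resources.yaml` in the file list.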
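--- a/data/share/sep.yaml
+++ b/data/share/sep.yaml
@@ -0,0 +1,210 @@
+---
+services:
+- service: SEPD # Incorrect: fixed at ID 0, sepd is a play on launchd
+fixed_endpoint: 0
+xnu_name: AppleSEPControl
+xnu_kext: AppleSEPManager
+opcodes:
+- id: 0
+const: kOpCode_NOP
+description: No operation
+- id: 2
+const: kOpCode_SET_OOL_IN_ADDR
+description: set the address of a block of AP memory to be transfered to the SEP for the next request
+- id: 3
+const: kOpCode_SET_OOL_OUT_ADDR
+description: set the address of a block of AP memory to be used to return the result of a given SEP response
+- id: 4
+const: kOpCode_SET_OOL_IN_SIZE
+description: set the size of the memory block to be transfered to the endpoint as a parameter
+- id: 5
+const: kOpCode_SET_OOL_OUT_SIZE
+description: set the size of the memory block allocated to the be written to as a response to a SEP request
+- id: 10
+const: kOpCode_TTYIN
+- id: 12
+const: kOpCode_Sleep
+description: put the SEP into low power and wait for an external IRQ
+- id: 19
+name: kOpCode_Nap
+description: put the SEP into low power and wake after a timeout
+- id: 0x14
+const: kOpCode_SECMODE_REQUEST
+description: get the current effective security mode of the SEP
+- id: 0x18
+const: kOpCode_SELFTEST
+description: perform diagnostics and internal consistancy checks on the the SEP
+- id: 0x25
+name: kOpCode_ERASE_INSTALL
+description: Queue the system for a wipe and install of IPSW
+- id: 0x26
+const: kOpCode_L4_PANIC
+description: Panic the L4 microkernel
+- id: 0x27
+const: kOpCode_SEPOSPANIC
+description: Panic the SEPOS
+- service: slog # Incorrect: notknown - Sep logging service
+description: SEP logging service
+xnu_name: AppleSEPLogger
+xnu_kext: AppleSEPManager
+- service: arts # Incorrect: ART storage
+description: Anti-replay Token Storage
+xnu_name: AppleSEPARTStorage
+xnu_kext: AppleSEPManager
+- service: artr # Incorrect: not known - SEP anti-replay storage
+description: Anti-replay token request
+xnu_name:
+- service: sepS
+description: SEP services endpoint
+- service: sbio
+description: Secure Biometic Services
+- service: skgs
+description: Secure Key Generation Service
+- service: xarm
+description: xART
+- service: xars
+description: xART
+- service: cntl
+description:
+- service: sidv
+description:
+- service: test
+description: Test Service
+- service: sars
+description: Secure Anti-Replay Service
+- service: enti
+description: Entitlement Service
+- service: debg # Incorrect: not known
+description: Debug
+xnu_name: AppleSEPDebug
+xnu_kext: AppleSEPManager
+- service: sks\0
+description: Secure Key Storage (AppleKeyStore)
+xnu_name: AppleSEPKeyStore
+xnu_kext: AppleSEPKeyStore
+- service: sse\0
+description: Proxy access to the SE (secure element)
+xnu_kext: AppleSSE
+- service: scrd
+description: Secure Credential Manager (AppleCredentialStore)
+xnu_kext: AppleCredentialManager
+- service: lpol # Incorrect: unknown
+name: boot_policy # Incorrect: not known yet
+description: Manage Apple Silicon macOS boot policy
+opcodes:
+- id: 2
+name: begin_update_policy
+description: Begin a boot policy update operation
+- id: 3
+name: end_update_policy
+- service: disc # Incorrect - not known
+fixed_endpoint: 253
+name: discovery # Incorrect: not 4CC
+description: >-
+First advertise, then expose
+
+`id` is endpoint number
+`name` is `'scrd'` or `'sks\0'` for example. (4 char code)
+
+struct app_info
+{
+uint64_t physical_addr;
+uint32_t virtual_base;
+uint32_t size;
+uint32_t entry;
+uint8_t name[12];
+uint8_t hash[16];
+}
+opcodes:
+- id: 0
+name: advertise
+request_struct: |
+// Credit: ntrung03
+struct ep_advertise_data {
+uint8_t id; /* param */
+uint32_t name; /* data, Apple 4CC for the applet name */
+};
+- id: 1
+name: expose
+request_struct: |
+// Credit: ntrung03
+struct ep_expose_data {
+uint8_t id; /* param */
+char ool_in_min_pages;
+char ool_in_max_pages;
+char ool_out_min_pages;
+char ool_out_max_pages;
+};
+- service: krnl # Incorrect: not known yet
+fixed_endpoint: 254
+name: L4info
+opcodes:
+- id: 0
+name: L4_Ipc
+desciption: Set up ipc between two threads
+- id: 4
+name: L4_ThreadSwitch
+description: Yield execution to thread
+- id: 8
+name: L4_ThreadControl
+description: Create or delete threads
+privileged: true
+- id: 0xC
+name: L4_ExchangeRegisters
+description: Exchange registers
+- id: 0x10
+name: L4_Schedule
+description: Set thread scheduling information
+- id: 0x14
+name: L4_MapControl
+description: Map or free virtual memory
+privileged: true
+- id: 0x18
+name: L4_SpaceControl
+description: Create a new address space
+privileged: true
+- id: 0x1C
+name: L4_ProcessorControl
+description: Sets processor attributes
+- id: 0x20
+name: L4_CacheControl
+description: Cache flushing
+- id: 0x24
+name: L4_IpcControl
+description: Adjust IPC access
+privileged: true
+- id: 0x28
+name: L4_InterruptControl
+description: Enable or disable an interrupt
+privileged: true
+- id: 0x2C
+name: L4_GetTimebase
+description: Gets the system time
+- id: 0x30
+name: L4_SetTimeout
+description: Set timeout for IPC sessions
+- id: 0x34
+name: L4_SharedMappingControl
+description: Set up a shared mapping
+privileged: true
+- id: 0x38
+name: L4_SleepKernel
+description: cause the SEP kernel to sleep until an external inturupt occurs
+- id: 0x3C
+name: L4_PowerControl
+- id: 0x40
+name: L4_KernelInterface
+description: Get information about the running L4 kernel
+- service: sepr # Incorrect: not known yet
+fixed_endpoint: 255
+name: seprom # Incorrect: not 4CC - name not important as it is always at 255
+opcodes:
+- id: 01
+name: ping
+description: request a pong from the SEP
+- id: 0x0F
+name: panic
+description: Common to all Apps, panic
+- id: 10
+name: random
+description: get random bytes from the SEP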
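Review bot: The `L4_Ipc` opcode entry (new line 144) spells its key `desciption:`, so a consumer that reads `description` gets nothing for that opcode; it should read `description: Set up ipc between two threads`. In the SEPD opcode list the entries at new lines 29 and 38 use `name: kOpCode_Nap` and `name: kOpCode_ERASE_INSTALL` where their siblings use `const:`, which looks unintended and would make a lookup by `const` skip both. The service names `sks\0` and `sse\0` are plain scalars, and YAML processes escapes only inside double quotes, so they load as five characters with a literal backslash rather than a four-byte code ending in NUL; `service: "sks\0"` gives the NUL if that is what is meant. The `sepr` list mixes `id: 01`, `id: 0x0F` and `id: 10`, so it is worth confirming whether the last is decimal 10 or was meant as 0x10, since a table used to label SEP mailbox traffic during analysis mislabels messages when the radix is wrong.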